So I thought I'd make my first proper post a contribution to the knowledge on here by sharing my findings.
I'm not making a complete tutorial as I had to figure things out by taking the time to look and think, and I'm glad I did.
However if it can provide someone with a few pointers hopefully in the right direction all good.


First job was just studying the flash ROM in WinOLS

So I knew where the maps were because I study 2d shapes and number sequences really hard or I'm just lazy and found a DAMOSs or a2ls-
however regardless they come in compact blocks rather than scattered through the file.
To me it seemed a good hint there as to what is going on and how it links data to code.

It became even more clear when looking at a ROM file with more than one block of data.
Most maps shared the same last four digits in their address e.g A1234 B1234 with maps of the same function in the next block of data.

A quick hex sequence search for these addresses seemed to highlight a useful area


Its easier to spot on EDC15C than EDC15P but still clear enough. Now what would that be there for I thought...

On to the eternal question of DPP's.

Well if I knew where to find the data references then logically thats where the dpp's point.
Or even if they didn't and on startup the whole data block was transfered to another area; it doesn't really matter at least for now as the same code will be calling the same piece of data albeit from a different place.

So I loaded the file in IDA and to start with I converted nearly everything other than the map area into code. I could undefine later any bits which were not code.
So surely EDC15 follows the ME7's tradition of defining the DPP's soon in the code, it's running on the same hardware isn't it?
And sure enough I came across the relevant code.

So plugging it in suddenly I got:


Remember the slope? A bit of playing with offsets and labelling and it became easy to see which functions were calling the maps.

I'm no expert on code but whatever logic the subroutines take they need to follow the path shown in the Funktionsbeschreibung for the RAM values passed along and order of maps.
So follwing the xrefs took me to where the maps where being used in the subroutine

3 registers in a row then passed to a subroutine in the IROM for a 2d map. Wasn't to hard to imagine what the 2 other references were and start labelling.

Finally looking at the function in graph view is like reading the flow charts in the EDC15Funktionsbeschreibung.
I must have worn out google translate by now.



All functions sat there ready to start abusing, mutating, chopping and patching.

Now by no means am I saying everything I've done is 100% right, there's probably lots of mistakes I'm sure people smarter than me can see. And there's loads I don't know yet so any help would be much appreciated.
The work and information on the forum here is great so hopefully some development on this ECU can be encouraged from this.

Im quite noob in reverse engineering, but is it hard to add some functions to this ecu?

hey
can you tell me the addresses of
-IROM
-RAM
-flash

hey,
thanks for the reply
just to be clear-
-I loaded the IROM at 0x0000 upto 0x7FFFh
-Loaded the flash at 0x8000(paragraphs)

The IROM was disassembled automatically by IDA. But the flash wasnt. I understand that it has to be done manually or by a script. But how would i recognize data from code? I tried manually decoding but the data xrefs were going beyond the size of the flash area.
what am i doing wrong?
regards

yes, I have read the memory map part of the c167 user manual.
the 00'F000h...00'FFFFh addresses are shown as IRAM,ESFR's,etc by IDA.
So the IROM is loaded at the correct address.
I'll try reloading the flash at 0x80000

Thanks a lot for your help, really appreciate it!

PS: did you use a script for converting flash data to code?

Bump?

hey Tim, thanks for the reply

0x4000 corresponds to 16kB so by dividing the address by 0x4000 will give the data page number in hex

so the first data block is at dp 0x33 and second at 0x3b.

looking at the xrefs for dpp0,1,2,3; none of these are set to 0x33 or 0x3b by any of the code xrefs.

also you said that a lot of ram is being moved. but the addresses being referred to are not part of the RAM. The RAM begins at 0xF600h but the data is being moved from locations like 0xC020h

edit: i had forgotten to add 0x80000 offset while calaculating the data page numbers. but even these are not set by any code.

im having trouble in correcting checksum for edc15p. it uses vag41-2002 checksum algorithm.

i made a change in unused flash memory(no maps or code).

winols, vagchkfix and mpps say that checksum is fixed but ecu doesn't boot. This happens only if the change is made in area 14000- 4FFFF. any other area I can change and checksum will be correct and ecu boots.

which tool do y'all use to correct checksum?
is there any way to disable the checksum function? I have identified the checksum routine(it is the only routine using seeds 0x8631 and 0xEFCD) what should i do to disable it?

i was planning on implementing new functions but have hit a dead end cause of this checksum issue.

regards